Sylpheed is a lightweight email client and newsreader.
Sylpheed-Claws is a 'bleeding edge' version of Sylpheed. They both
support the import of address books in LDIF (Lightweight Directory
Interchange Format).

Colin Leroy reported buffer overflow vulnerabilities in Sylpheed
and Sylpheed-Claws. The LDIF importer uses a fixed length buffer to
store data of variable length. Two similar problems also exist in
the Mutt and Pine address book importers of Sylpheed-Claws.

By convincing a user to import a specially-crafted LDIF file
into the address book, a remote attacker could cause the program to
crash, potentially allowing the execution of arbitrary code with
the privileges of the user running the software.
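As an added illustration of the bug class described above (constructed example code, not Sylpheed's importer): an LDIF "attr: value" field copied into a fixed-length buffer with no length check, beside a version that enforces the bound. FIELD_LEN and the LDIF lines are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 32   /* hypothetical fixed field size */

/* Vulnerable pattern: the value after "attr: " is copied into a fixed
 * buffer with no length check, so a value of FIELD_LEN bytes or more
 * overruns 'out'. Shown for contrast only; never feed it untrusted input. */
static void ldif_copy_unchecked(const char *line, char out[FIELD_LEN])
{
    const char *val = strchr(line, ':');
    val = val ? val + 1 : line;
    while (*val == ' ') val++;
    strcpy(out, val);                 /* BUG: no bound */
}

/* Hardened: same extraction, but the copy is bounded by the caller's
 * buffer size (terminating NUL included). An oversized value is rejected
 * with -1 rather than truncated, so a crafted record cannot change meaning
 * by being cut short, and nothing is ever written past the buffer. */
static int ldif_copy_checked(const char *line, char *out, size_t outlen)
{
    const char *val = strchr(line, ':');
    if (!val || outlen == 0) return -1;   /* not an "attr: value" line */
    val++;
    while (*val == ' ') val++;
    size_t n = strlen(val);
    if (n >= outlen) return -1;           /* n bytes + NUL would not fit */
    memcpy(out, val, n + 1);
    return 0;
}

int main(void)
{
    char buf[FIELD_LEN];
    const char *ok  = "cn: Alice Example";                            /* constructed */
    const char *big = "cn: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* constructed, 40 chars */

    ldif_copy_unchecked(ok, buf);       /* fits, so this call happens to be safe */
    printf("unchecked: %s\n", buf);
    printf("checked (short): %d -> %s\n", ldif_copy_checked(ok, buf, sizeof buf), buf);
    printf("checked (long) : %d (rejected)\n", ldif_copy_checked(big, buf, sizeof buf));
    return 0;
}
```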

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

GTK+ (the GIMP Toolkit) is a toolkit for creating graphical user
interfaces. The GdkPixbuf library provides facilities for image
handling. It is available as a standalone library and also packaged
with GTK+ 2.

iDEFENSE reported a possible heap overflow in the XPM loader
(CVE-2005-3186). Upon further inspection, Ludwig Nussel discovered
two additional issues in the XPM processing functions: an integer
overflow (CVE-2005-2976) that affects only gdk-pixbuf, and an
infinite loop (CVE-2005-2975).

Mandriva Linux

Egroupware contains embedded copies of several PHP-based
projects, including phpldapadmin and phpsysinfo.

Phpldapadmin before 0.9.6c allows remote attackers to gain
anonymous access to the LDAP server, even when disable_anon_bind is
set, via an HTTP request to login.php with the anonymous_bind
parameter set. (CAN-2005-2654)

The image loading library of the gdk-pixbuf/gtk2 package is
vulnerable to several security-related bugs. This makes every
application linked against this library (mostly GNOME applications)
vulnerable too.

A carefully crafted XPM file can be used to execute arbitrary
code while processing the image file. (CVE-2005-3186)

Additionally, Ludwig Nussel from the SUSE Security Team
discovered an integer overflow bug that can also be used to execute
arbitrary code (CVE-2005-2976), and an infinite loop which leads
to a denial of service (CVE-2005-2975).
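As an added illustration of the integer overflow class behind the XPM issue described here and in the GTK+ section above (constructed example code, not gdk-pixbuf's loader): the colour-table byte count computed straight from an attacker-controlled XPM values line, first in wrapping 32-bit arithmetic, then with the multiplication checked before any allocation. The header strings and the 64 MiB ceiling are assumptions.

```c
#include <stdio.h>
#include <stdint.h>

/* Parse the XPM values line "<width> <height> <ncolors> <cpp>". Returns 0
 * on success, -1 if it is malformed or any value is non-positive. */
static int xpm_parse_values(const char *line, int *w, int *h, int *ncol, int *cpp)
{
    if (sscanf(line, "%d %d %d %d", w, h, ncol, cpp) != 4) return -1;
    return (*w > 0 && *h > 0 && *ncol > 0 && *cpp > 0) ? 0 : -1;
}

/* Vulnerable pattern: the colour-table size is computed in 32-bit
 * arithmetic from header values. ncol * (cpp + 1) can wrap to a small
 * number, so a block allocated with it is too short and copying ncol
 * entries of cpp+1 bytes each then overruns the heap. */
static uint32_t xpm_color_table_bytes_unchecked(const char *line)
{
    int w, h, ncol, cpp;
    if (xpm_parse_values(line, &w, &h, &ncol, &cpp) != 0) return 0;
    return (uint32_t)ncol * (uint32_t)(cpp + 1);     /* BUG: may wrap */
}

/* Hardened: reject the multiplication before it can wrap, and cap the
 * result at a ceiling no legitimate icon needs. */
#define XPM_MAX_TABLE_BYTES ((size_t)64 << 20)   /* hypothetical 64 MiB cap */

static int xpm_color_table_bytes_checked(const char *line, size_t *out)
{
    int w, h, ncol, cpp;
    if (xpm_parse_values(line, &w, &h, &ncol, &cpp) != 0) return -1;
    size_t entry = (size_t)cpp + 1;                    /* cpp chars + NUL */
    if ((size_t)ncol > SIZE_MAX / entry) return -1;    /* would wrap */
    size_t total = (size_t)ncol * entry;
    if (total > XPM_MAX_TABLE_BYTES) return -1;        /* absurd for an image */
    *out = total;
    return 0;
}

int main(void)
{
    size_t n;
    const char *sane = "48 48 256 2";         /* constructed header */
    const char *evil = "1 1 1073741824 3";    /* constructed: 2^30 colours, 4 bytes each */
    printf("unchecked(evil) = %u bytes\n", (unsigned)xpm_color_table_bytes_unchecked(evil));
    printf("checked(evil)   = %d\n", xpm_color_table_bytes_checked(evil, &n));
    if (xpm_color_table_bytes_checked(sane, &n) == 0)
        printf("checked(sane)   = %zu bytes\n", n);
    return 0;
}
```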

2) Solution or Work-Around

none

3) Special Instructions and Notes

Please restart your system to make the update completely
effective.

4) Package Location and Checksums

The preferred method for installing security updates is to use
the YaST Online Update (YOU) tool. YOU detects which updates are
required and automatically performs the necessary steps to verify
and install them. Alternatively, download the update packages for
your distribution manually and verify their integrity by the
methods listed in Section 6 of this announcement. Then install the
packages using the command

rpm -Fhv <file.rpm>

to apply the update, replacing <file.rpm> with the
filename of the downloaded RPM package.

SUSE security announcements are published via mailing lists and
on Web sites. The authenticity and integrity of a SUSE security
announcement is guaranteed by a cryptographic signature in each
announcement. All SUSE security announcements are published with a
valid signature.

To verify the signature of the announcement, save it as text
into a file and run the command

gpg --verify <file>

replacing <file> with the name of the file where you saved
the announcement. The output for a valid signature looks like:

If the security team's key is not contained in your key ring,
you can import it from the first installation CD. To import the
key, use the command

gpg --import gpg-pubkey-3d25d3d9-36e12d04.asc

Package authenticity verification:

SUSE update packages are available on many mirror FTP servers
all over the world. While this service is considered valuable and
important to the free and open source software community, the
authenticity and the integrity of a package needs to be verified to
ensure that it has not been tampered with.

There are two verification methods that can be used
independently from each other to prove the authenticity of a
downloaded file or RPM package:

1) Using the internal gpg signatures of the rpm package

2) MD5 checksums as provided in this announcement

The internal rpm package signatures provide an easy way to
verify the authenticity of an RPM package. Use the command

rpm -v --checksig <file.rpm>

to verify the signature of the package, replacing
<file.rpm> with the filename of the RPM package downloaded.
The package is unmodified if it contains a valid signature from
build@suse.de with the key ID 9C800ACA. This key is automatically
imported into the RPM database (on RPMv4-based distributions) and
the gpg key ring of 'root' during installation. You can also find it
on the first installation CD and at the end of this announcement.

If you need an alternative means of verification, use the md5sum
command to verify the authenticity of the packages. Execute the
command

md5sum <filename.rpm>

after you downloaded the file from a SUSE FTP server or its
mirrors. Then compare the resulting md5sum with the one that is
listed in the SUSE security announcement. Because the announcement
containing the checksums is cryptographically signed (by
security@suse.de), the checksums show proof of the authenticity of
the package if the signature of the announcement is valid. Note that
the md5 sums published in the SUSE Security Announcements are valid
for the respective packages only. Newer versions of these packages
cannot be verified.

SUSE runs two security mailing lists to which any interested
party may subscribe:

The information in this advisory may be distributed or
reproduced, provided that the advisory is not modified in any way.
In particular, the clear text signature should show proof of the
authenticity of the text.

SUSE Linux Products GmbH provides no warranties of any kind
whatsoever with respect to the information contained in this
security advisory.
